Premo36

MachineLearning/Anomalous.100% false positive (I'm the software developer)


Hi,

I've just finished developing my software, and I was ready to release it, but Malwarebytes detected it as a "MachineLearning/Anomalous.100%" malware.

I know it's a false positive because I developed the software.

The .exe file in the .zip is the one that has been detected. It's a C# (.NET Framework 3.5) frontend that provides a user interface to start another piece of software (not included, as it's not mine and it's not recognized as malware) with some arguments (the arguments depend on what the user does within the frontend). It stores some data to keep preferences in a folder in %appdata% and downloads from the internet a text file that it uses to eventually notify the user about a new version. The same txt also contains 2 URLs: one for the new version download page, and the other is used to download another text file that contains the full changelog history. That's pretty much all it does.

The p36_utilities.dll is a library that I wrote and it contains some generic functions to read and write data. My software needs it to work. It was not detected.

In the attached .zip I've also saved "log.txt", which is the Malwarebytes log of the scan.

Thank you

DML2.zip

10 minutes ago, shadowwar said:

This should no longer be detected. Thanks for reporting.

 

Thank you, how long do I have to wait before the Malwarebytes definition update rolls out? (I checked a few minutes ago, after I deleted temp files and rebooted my PC, and Malwarebytes still detects it.) Also, I would like to know if I have to resend the exe every time I update my software, and also what kind of suspicious behaviour my software had that may have triggered the Malwarebytes machine learning heuristic, so next time I can avoid it. Thanks again for your help.


It's not detected locally here. It should have been within 10 mins of my last post.

Maybe shut down Malwarebytes and restart it and see if it's still detected.

If you do change it, it would have to be whitelisted again for now. You can save some time though by uploading it to virustotal.com, as our cloud would get a copy and learn whether it's malware or not.

 

I can't get into specifics, but basically it looks for file anomalies similar to what malware does. Files not signed. Weird version info. Empty sections or packed. Etc.

If the file was validly digitally signed, it goes a long way to preventing FPs.

 

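The file traits named in the reply above (unsigned file, missing version info, empty or packed sections) can be checked statically on a build before release. This is an added example, not part of the thread and not Malwarebytes' detection logic; the function names, the 7.2 entropy cut-off and the constructed sample image are assumptions.

```python
import math, struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data nears 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_anomalies(pe, packed_threshold=7.2):  # threshold is an assumed cut-off
    """Static findings for a PE image given as bytes."""
    off = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, off + 4)
    opt = off + 24                                          # optional header start
    dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)
    cert = dirs + 4 * 8                                     # certificate table entry
    findings = []
    # Presence only; validity needs signtool or Get-AuthenticodeSignature.
    if cert + 8 > opt + opt_size or struct.unpack_from("<II", pe, cert)[1] == 0:
        findings.append("unsigned")
    # Heuristic: the version resource stores its key as UTF-16LE text.
    if "VS_VERSION_INFO".encode("utf-16-le") not in pe:
        findings.append("no version info")
    for i in range(nsec):
        sec = opt + opt_size + 40 * i                       # 40-byte section header
        name = pe[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec + 16)
        if raw_size == 0:
            findings.append(f"empty section {name}")
        elif entropy(pe[raw_ptr:raw_ptr + raw_size]) > packed_threshold:
            findings.append(f"high-entropy section {name}")
    return findings

def sample_pe(signed=False, version=False, body=b"\x90\xc3" * 256):
    """Constructed minimal PE32 layout for the demo, not a runnable program."""
    h = bytearray(0x200)
    h[:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", h, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", h, 0x58, 0x10B)                  # PE32 magic
    if signed:
        struct.pack_into("<II", h, 0xD8, 0x200 + len(body), 8)
    h[0x138:0x13D], h[0x160:0x164] = b".text", b".bss"      # .bss has raw size 0
    struct.pack_into("<II", h, 0x148, len(body), 0x200)
    return bytes(h) + body + ("VS_VERSION_INFO".encode("utf-16-le") if version else b"")

if __name__ == "__main__":
    print(pe_anomalies(sample_pe()))
```

An empty section is also normal for uninitialised data such as `.bss`, which is why a finding here is a prompt to look, not a verdict.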
1 hour ago, shadowwar said:

It's not detected locally here. It should have been within 10 mins of my last post.

Maybe shut down Malwarebytes and restart it and see if it's still detected.

If you do change it, it would have to be whitelisted again for now. You can save some time though by uploading it to virustotal.com, as our cloud would get a copy and learn whether it's malware or not.

 

I can't get into specifics, but basically it looks for file anomalies similar to what malware does. Files not signed. Weird version info. Empty sections or packed. Etc.

If the file was validly digitally signed, it goes a long way to preventing FPs.

 


My desktop PC keeps detecting it as malware, even after a few reboots. However, on my laptop it's not detected anymore. So probably some sort of caching is happening on my desktop (What file should I delete to force Malwarebytes to truly rescan?).

I uploaded just the .exe to VirusTotal as you suggested and Malwarebytes does not detect it.

https://www.virustotal.com/gui/file/4fc7fc31e2e3afac8a41bda3230b9aca87907711d1eaaab9ddf372e6c87474ce/detection

Thank you.

1 hour ago, Premo36 said:

(What file should I delete to force Malwarebytes to truly rescan?).

If it's still detected on your end, then quit Malwarebytes from the system tray. Then navigate to the following folder:

C:\ProgramData\Malwarebytes\MBAMService

In there, locate the file HubbleCache and delete it.

Restart Malwarebytes again. A new HubbleCache will then be created again, so it will properly pick it up and remember to not detect this anymore.

23 hours ago, Porthos said:

If it's still detected on your end, then quit Malwarebytes from the system tray. Then navigate to the following folder:

C:\ProgramData\Malwarebytes\MBAMService

In there, locate the file HubbleCache and delete it.

Restart Malwarebytes again. A new HubbleCache will then be created again, so it will properly pick it up and remember to not detect this anymore.

It worked, thanks, now it's not recognized anymore.

Just now, Premo36 said:

It worked, thanks, now it's not recognized anymore.

You're welcome


I've just pushed a small update to my software to fix a small bug (the only difference in the whole code is that I've just removed a space in a string), but that bug was preventing users from loading .ini files, which is one of the core features, so I had to do a quick fix. Malwarebytes on my PC is back to recognizing it as malware. I've uploaded it again to VirusTotal but it didn't find anything (even after a few rescans).

https://www.virustotal.com/gui/file/6ffbb7b73c00bf00a41234c519a83ec2cee3cd5d7ac5e93f812f1c17fba7c608/detection

The detection is still "MachineLearning/Anomalous.100%"

I've attached the new .exe, the .dll that is needed for the .exe to work, and the Malwarebytes log in the zipped file.

Would it help if every build I do is uploaded (even the developer ones) to VirusTotal? Will this train Malwarebytes to stop recognizing my software as malware?

Thank you.

DML2_publish.zip


Because it is machine learning... no, not at every update; after the next one or two more, the machine learning will learn that the updates for your software are the same safe software.
